
Unicode Technique Used to Deliver Cryptomining Malware Through Telegram

It’s just the latest reported vulnerability for the secure messaging application.

Attackers are using the time-tested right-to-left override technique to deliver cryptomining malware through the popular Telegram messaging application, say researchers.

The right-to-left override (RLO) technique uses a Unicode control character to disguise malicious file names and trick users into opening what appear to be benign files. It lets malware authors hide the real name, and in particular the real extension, of a malicious file.

The vulnerability was found by Kaspersky Lab in Telegram’s Windows client in October 2017, according to Alexey Firsh, a security expert at Kaspersky Lab, in a report released Tuesday.

Firsh gave an example of the RLO attack in action. Hidden in the file name is a Unicode character that reverses the display order of the characters that follow it. So a malicious JavaScript file named “gnp.js” is displayed as what appears to be a benign PNG image file, “sj.png”.

In the case of the file used in the Telegram attack, the file name is “photo_high_re*U+202E*gnp.js”, which displays as “photo_high_resj.png”. The “*U+202E*” marks the position of the RLO character, which makes Telegram display the remaining string “gnp.js” in reverse, researchers said.

When a user clicks on the file within the messenger client, the standard Windows security warning appears, cautioning the user about running JavaScript files from unknown sources. If the user clicks “Run”, the malicious file is launched.
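The following is an added example, not code from Kaspersky Lab, Telegram or the article, showing the kind of check a file-sharing client or mail gateway could apply to a file name before rendering it. It strips Unicode bidirectional control characters, approximates how a naive renderer would display the name (text after U+202E is reversed up to a U+202C pop-directional-formatting character or the end of the string, which is exactly the case the article describes), and flags any name whose displayed extension differs from its real one. The `EXECUTABLE_EXTENSIONS` set and the sample file names are assumptions constructed for the example.

```python
import unicodedata

# Unicode bidirectional control characters commonly abused to disguise file names.
# U+202E (RLO) is the one used in the Telegram attack described above.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200E": "LRM", "\u200F": "RLM",
}

# Assumed list of Windows file types that run code when double-clicked.
EXECUTABLE_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "exe", "scr", "bat", "cmd",
    "com", "pif", "hta", "ps1", "msi", "lnk",
}


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a renderer shows: text after an RLO is reversed until a
    PDF (U+202C) or end of string; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            j = name.find("\u202C", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1 if j != -1 else end
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(s):
    dot = s.rfind(".")
    return s[dot + 1:].lower() if dot != -1 else ""


def true_extension(name):
    """Extension the OS will actually use: the last '.' in the raw name with controls removed."""
    return _extension("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def apparent_extension(name):
    """Extension a user would read off the rendered name."""
    return _extension(rendered_name(name))


def assess(name):
    """Classify a file name; 'suspicious' when bidi controls change the visible extension."""
    controls = [c for _, c in find_bidi_controls(name)]
    real, shown = true_extension(name), apparent_extension(name)
    return {
        "rendered": rendered_name(name),
        "true_ext": real,
        "apparent_ext": shown,
        "controls": controls,
        "executable": real in EXECUTABLE_EXTENSIONS,
        "verdict": "suspicious" if controls and real != shown else "ok",
    }


if __name__ == "__main__":
    # Constructed samples: the article's lure, and a harmless name for comparison.
    for sample in ["photo_high_re\u202Egnp.js", "report.pdf"]:
        result = assess(sample)
        print(repr(sample), "->", result)
```

Running it on the article’s lure shows `rendered` as `photo_high_resj.png`, `true_ext` as `js` and `apparent_ext` as `png`, so the name is flagged suspicious and executable; the plain `report.pdf` is rated ok. A stricter policy is simply to reject any file name containing a bidi control character at all, since there is almost no legitimate reason for one to appear in an attachment name.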

The RTL override technique has been used by malware authors for quite some time, with researchers at Mozilla reporting on it as far back as 2009.

It’s not clear what versions of Telegram were affected but the vulnerability was exploited in Windows clients beginning in March 2017, Firsh said. Kaspersky alerted Telegram to the issue and the vulnerability has been mitigated.

Telegram did not return a request for comment for this story.

The second stage of the attacks observed by researchers cashes in on the boom in cryptocurrency values, either by installing cryptocurrency mining software or, possibly, by stealing from a cryptocurrency wallet hosted on the victim’s machine.

After the user runs the disguised JavaScript file, it opens a self-extracting archive (SFX) containing a batch file (BAT) that first disables Windows security features, then launches a decoy image file and finally downloads two cryptocurrency miners, Fantomcoin (for Monero) and Equihash (for Zcash), from an FTP server.

Researchers said other variants of the script exist and contain the miner CryptoNight and tools such as a Remote Manipulator System (RMS) client, similar to remote desktop software TeamViewer. “Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access,” researchers wrote.

According to Firsh, the available evidence indicates that only Russian cybercriminals knew of the Telegram vulnerability, and the research identified instances of the attack only in Russia.

Telegram is the favored messaging platform among the cryptocurrency community. The company recently announced plans for its own cryptocurrency, with the intention being to leverage Telegram’s 180 million users to push cryptocurrency into the mainstream, as TechCrunch reported.

While Telegram is touted as highly secure, it has experienced other vulnerabilities in the past. Last year, Check Point reported on a vulnerability in the web version of Telegram that would have allowed attackers to gain access to a user’s personal data under certain conditions.

In 2016, researchers disclosed another vulnerability in Telegram they said would give attackers the means to crash users’ devices and run up data charges. Telegram disputed the researchers’ conclusions.

